[PATCH] staging: wilc1000: fix NULL dereference inside wilc_scan()

* [PATCH] staging: wilc1000: fix NULL dereference inside wilc_scan()
@ 2018-12-15  2:32 Ajay.Kathat
  0 siblings, 0 replies; only message in thread
From: Ajay.Kathat @ 2018-12-15  2:32 UTC (permalink / raw)
  To: linux-wireless; +Cc: devel, gregkh, Adham.Abozaeid, Ajay.Kathat

From: Ajay Singh <ajay.kathat@microchip.com>

Added NULL check before accessing 'hidden_net' pointer inside
wilc_scan() to fix the issue found by static code checker.

Fixes: 8f1a0ac1eba7 ("staging: wilc1000: handle scan operation callback from cfg80211 context")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
---
 drivers/staging/wilc1000/host_interface.c | 48 +++++++++++++++++--------------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c
index b8603f2..70c854d 100644
--- a/drivers/staging/wilc1000/host_interface.c
+++ b/drivers/staging/wilc1000/host_interface.c
@@ -246,27 +246,29 @@ int wilc_scan(struct wilc_vif *vif, u8 scan_source, u8 scan_type,
 
 	hif_drv->usr_scan_req.ch_cnt = 0;
 
-	wid_list[index].id = WID_SSID_PROBE_REQ;
-	wid_list[index].type = WID_STR;
-
-	for (i = 0; i < hidden_net->n_ssids; i++)
-		valuesize += ((hidden_net->net_info[i].ssid_len) + 1);
-	hdn_ntwk_wid_val = kmalloc(valuesize + 1, GFP_KERNEL);
-	wid_list[index].val = hdn_ntwk_wid_val;
-	if (wid_list[index].val) {
-		buffer = wid_list[index].val;
-
-		*buffer++ = hidden_net->n_ssids;
-
-		for (i = 0; i < hidden_net->n_ssids; i++) {
-			*buffer++ = hidden_net->net_info[i].ssid_len;
-			memcpy(buffer, hidden_net->net_info[i].ssid,
-			       hidden_net->net_info[i].ssid_len);
-			buffer += hidden_net->net_info[i].ssid_len;
-		}
+	if (hidden_net) {
+		wid_list[index].id = WID_SSID_PROBE_REQ;
+		wid_list[index].type = WID_STR;
+
+		for (i = 0; i < hidden_net->n_ssids; i++)
+			valuesize += ((hidden_net->net_info[i].ssid_len) + 1);
+		hdn_ntwk_wid_val = kmalloc(valuesize + 1, GFP_KERNEL);
+		wid_list[index].val = hdn_ntwk_wid_val;
+		if (wid_list[index].val) {
+			buffer = wid_list[index].val;
+
+			*buffer++ = hidden_net->n_ssids;
+
+			for (i = 0; i < hidden_net->n_ssids; i++) {
+				*buffer++ = hidden_net->net_info[i].ssid_len;
+				memcpy(buffer, hidden_net->net_info[i].ssid,
+				       hidden_net->net_info[i].ssid_len);
+				buffer += hidden_net->net_info[i].ssid_len;
+			}
 
-		wid_list[index].size = (s32)(valuesize + 1);
-		index++;
+			wid_list[index].size = (s32)(valuesize + 1);
+			index++;
+		}
 	}
 
 	wid_list[index].id = WID_INFO_ELEMENT_PROBE;
@@ -316,8 +318,10 @@ int wilc_scan(struct wilc_vif *vif, u8 scan_source, u8 scan_type,
 		  jiffies + msecs_to_jiffies(HOST_IF_SCAN_TIMEOUT));
 
 error:
-	kfree(hidden_net->net_info);
-	kfree(hdn_ntwk_wid_val);
+	if (hidden_net) {
+		kfree(hidden_net->net_info);
+		kfree(hdn_ntwk_wid_val);
+	}
 
 	return result;
 }
-- 
2.7.4


^ permalink raw reply related	[flat|nested] only message in thread